My WordPress Site Has Been Hacked! Help!

Recently our website was hacked and defaced. We should have been on alert as the Google Webmaster website sent us a message to update our WordPress site to the latest version, which is the first time they sent us a warning in all the years we have been registered with them. That alone should have been enough to get us to do something, but alas we had other things on the agenda, and didn’t get around to it. Bad move.

We were hacked and most likely you were hacked by a script, an automated job cycling through web addresses to see if they have a vulnerable version of WordPress, if they find one they normally deface the last post or two with the mandatory “You were hacked by Scr1ptK1ddy” message. While initially shocking, it is not too difficult to recover from this defacement.

WordPress is essentially made up of four critical components, the WordPress files, your WordPress Theme, WordPress Plugins and your content. In step one you will updated to the latest version of the WordPress files, so you don’t get hacked again, step two you will recover your content to the version it was before your website was defaced, step three you will update your plugins to ensure continued functionality with the latest version of WordPress and step four you will check your theme hasn’t been tampered with.

If you follow the steps below you should be able to quickly recover from the hack and protect yourself from future attacks.

Step 1 – Update your WordPress software

As soon as WordPress gets hacked the word get out pretty quickly and patches that plug the vulnerability are created to stop the hacks, so it is critical you update your WordPress to the latest version, before doing anything else.

If you login as an Admin you will be able to go to your dashboard and check the “At a Glance” section which will tell you your current version of WordPress. You can see from the image below you can see we are currently running WordPress 4.7.2. If you are running WordPress 4.7.0 or WordPress 4.7.1, that’s bad, they have vulnerabilities, upgrade now.

I wouldn’t worry too much about the backup if the site has already been hacked, cause you would just be backing up the hacked site, but whatever works for you.

Step 2 – Recover Hacked Content

Once you have been hacked they will deface your site, replacing your content with there own message. If it is script kiddies, they will likely change the last post or the front page. Fortunately WordPress has version control on content. That means we can go back to a previous version, i.e the non hacked version, of the content. Your content/posts are stored in a database, so if you make a change, or the bad guys make a change, the database just keeps a copy of the change in case you want to revert back to the old version.

First you need to work out what content has been changed, to do that click on the “Posts” Menu and select “All Posts”.

You should see a list of all your posts, with columns for the Title, Author, Categories, Tags, Comments and Date. The important column here is the Date column, by click on the column heading you can see the posts with the latest changes at the top of the list. That way you can identify posts that have recently been changed, you know, changed by the bad guys.

If you click on the post title and scroll all the way to the bottom of the post you will see a sectioned called “Revisions”, this is every revision or version of your post.

If it has no name next to the revision that is a hacked page, you can see from the above image this page was hacked eight separate times. If you click on the revision date and time you can see the original content on the left and the changed version on the right.

There is even a scroll bar at the top, middle, where you can scroll back through the different versions of the webpage to see exactly when it first got hacked. When you find a version on the left that is the latest non-hacked version of your content you can click on the “Restore this Revision” button on the top right of the screen and your content will be recovered to this version.

Step 3 – Update Your Plugins

Now you have updated your WordPress site to the latest version you need to ensure your Plugins are still compatible and functioning. Within the Admin console you can click the “Plugins” menu, where it should inform you just below your plugin name if you need to upgrade, such as the below message:

There is a new version of Any Mobile Theme Switcher available. View version 2.1 details or update now.

If you click “update now” it will install the latest compatible version and you will be good to go.

Step 4 – Verify Your Theme

Your Theme controls what your website looks like, the style of your website. While it is unlikely this has been changed by the bad guys, it is possible, so go to your website and check the layout, does it look right? Are all the widgets in the right place?

If not, login in as Admin and select “Appearance” from the menu, this will allow you to select a new Theme or customise the existing one so you can change it back to what you were expecting.

Step 5 – Register with Google Webmaster Site

Finally, to ensure you get warning messages about any potential threats I recommended that you register with Googles Webmaster website. It allows you to take ownership of your website and will warn you if there are any security issues, like an outdated, vulnerable version of WordPress, or if there is any hacked content on your site.